2 Oct 2018

WordPress Support Forum Moderators’ Micromanagement of the Support Forum Seems Counterproductive

Last week, as part of our discussion of the continued inappropriate behavior on the part of the moderators of the WordPress Support Forum, we discussed a situation where a moderator had deleted useful information that helped to link together a series of hacks related to a file generated by the plugin Duplicator. We had tried to note that deleting that information was problematic, but that message was itself deleted. Unfortunately the moderators don’t seem to be able to deal with the fact that others disagree with their actions, so instead of being able to have an adult professional conversation that could lead to a better situation for everyone, they simply respond by deleting things like that. That isn’t supposed to be happening.

If you look at the page Pre-defined Replies for Moderators, the standardized reply if someone asks to have something deleted is this: [Read more]

26 Sep 2018

WordPress Team Has Time to Disable Our Account, Not Time to Make Sure 700,000+ Websites Don’t Remain Vulnerable

So yesterday we did our first full disclosures of WordPress plugin vulnerabilities, due to the continuing inappropriate handling of the moderation of the WordPress Support Forum. As part of that, we are only notifying the developers of the plugins of these full disclosures through the WordPress Support Forum. If the moderators delete that notification, the developer wouldn’t get notified (unless the moderators notify them, which they don’t look to have done in the past based on what we have seen), so deleting it would not be a good idea. Not surprisingly, considering their past behavior, that is exactly what they did. But they took it further by disabling our account as well:

[Read more]

25 Sep 2018

Our New Disclosure Policy in Response to the Continued Inappropriate Behavior of the WordPress Support Forum Moderators

When it comes to handling disclosure of vulnerabilities, we think the best approach isn’t either of the extremes, responsible disclosure or full disclosure. You might actually call responsible disclosure irresponsible disclosure, since it could involve never disclosing a vulnerability if it isn’t fixed. That is a bad idea, because it shouldn’t be assumed that others can’t independently find the same vulnerability, and they might be someone who is going to exploit it. Beyond the obvious issues that can come with full disclosure, there are other real world problems that it can cause. Our approach up until now has been what we refer to as reasonable disclosure, which in our case tries to balance the need to notify our customers, who are paying to be notified about vulnerabilities in WordPress plugins, of vulnerabilities in a timely manner, as well as getting vulnerabilities fixed before disclosure happens as much as possible.

Here is what our policy has been up until now: [Read more]

25 Sep 2018

WordPress Support Forum Moderators Stop People from Getting Help So They Can Promote Favored Security Companies

One of the ways that we keep track of vulnerabilities in WordPress plugins for our service is by monitoring the WordPress Support Forum for related topics. What we have seen is that unfortunately that often isn’t a place where people with security issues can get real help; instead it is used by the moderators of the forum to promote hiring certain security companies. Occasionally we have attempted to provide some help, but that has been severely hampered by the moderators (a situation that apparently has occurred for others as well).

As an example of that, a thread was started last week with the following: [Read more]

25 Sep 2018

WordPress Support Forum Moderators Engaged In Cover Up of Security Issues in WordPress Plugins

One of the really unfortunate things about the security issues related to WordPress plugins is how often people on the WordPress side of things are actually actively making things worse. Just yesterday we ran into another example, which at best shows they are engaged in misguided behavior and are unable to work effectively with others who are actually trying to improve security.

On Saturday a thread was started on the WordPress Support Forum with a claim that a vulnerability in the plugin WooCommerce Product Addons (N-Media WooCommerce PPOM) was being exploited: [Read more]